PSInclude Remote Arbitrary Command Execution Vulnerability
BID:10006
Info
| Bugtraq ID: | 10006 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 30 2004 12:00AM |
| Updated: | Mar 30 2004 12:00AM |
| Credit: | Discovery of this vulnerability has been credited to Haris Tbr. |
| Vulnerable: | psyon.org psInclude 1.41 |
| Not Vulnerable: | psyon.org psInclude 1.42 |
Discussion
psInclude has been reported prone to a remote arbitrary command execution vulnerability.
The psInclude CGI application receives and processes a single URI parameter, named "template". Because the "template" parameter is not sufficiently sanitized, an attacker can supply shell metacharacters and commands as its value.
A remote attacker may exploit this condition to execute arbitrary commands in the context of the web server that is hosting the vulnerable application.
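One way to handle a parameter like "template" safely, shown as an added example in Python (not psInclude's code, and not the fix shipped in 1.42, which this page does not show): allowlist the name, confine it to a template directory, and read the file directly so the value never reaches a shell. The function names, the `news.tmpl` file and the name policy are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed policy: template names are plain file names such as "news.tmpl".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")


def resolve_template(value, base_dir):
    """Map the "template" parameter to a file inside base_dir, or raise ValueError."""
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        # Rejects shell metacharacters, whitespace, slashes, "..", NUL and empty input.
        raise ValueError("invalid template name")
    base = Path(base_dir).resolve()
    candidate = (base / value).resolve()
    # A symlink inside base_dir could still point elsewhere, so check after resolving.
    if candidate.parent != base or not candidate.is_file():
        raise ValueError("template not found")
    return candidate


def load_template(value, base_dir):
    """Read the template with a direct file read; the value is never passed to a shell."""
    return resolve_template(value, base_dir).read_text(encoding="utf-8")


def is_rejected(value, base_dir):
    """Return True when the parameter value fails validation."""
    try:
        resolve_template(value, base_dir)
        return False
    except ValueError:
        return True


def demo():
    """Run the check on constructed inputs against a temporary template directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "news.tmpl").write_text("<h1>News</h1>", encoding="utf-8")
        samples = ["news.tmpl", "news.tmpl;id", "|id|", "../news.tmpl", "missing.tmpl", ""]
        return {s: is_rejected(s, d) for s in samples}, load_template("news.tmpl", d)


if __name__ == "__main__":
    print(demo())
```

Validation by allowlist is preferred here over stripping individual metacharacters, because a blocklist has to anticipate every character the shell treats specially.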
Exploit / POC
There is no exploit required.
Solution / Fix
Solution:
This issue has been addressed in psInclude 1.42.
psyon.org psInclude 1.41
- psyon.org psInclude142.zip
  http://www.psyon.org/projects/psinclude/psinclude142.zip
References
References:
- psInclude Homepage (psyon.org)